Reputation: 4143
What is an X509 certificate profile?
I see the term "x509 profile" being used in a technical document on PKI that I am reading, but no explanation is given. I googled for what a "x509 profile" means but the results were not helpful. For example the wikipedia entry on x509 contains phrases like:
IPSec can use the RFC 4945 profile for authenticating peers.
The OpenCable security specification defines its own profile of X.509 for use in the cable industry.
And no where is the definition of a profile given. It seems it is assumed that the meaning of a profile is a given!
What exactly is a profile in x509 context? I know, from the word I can imagine it means some form classifications of x509, but the question is: what makes up this classification? What characteristics of an x509 are used to form these classifications/profiles? Where can one view all available classifications?
Upvotes: 2
Views: 686
Answers (1)
Reputation: 2297
A minimal certificate consists of a Name and a Public Key. The CA which signs this certificate asserts that the entity named owns the private key which matches this Public Key.
In addition to this, a certificate can (and more often than not, must) contain additional information. Examples are Issuer and Version fields, and Key Usage, Enhanced Key Usage and Subject Alternate Name extensions.
A certificate profile is a definition of the additional information. For example, section 5.1.3.2 Key Usage of RFC 4945 says:
A summary of the logic flow for peer cert validation follows:
If no KU extension, continue.
If KU present and doesn't mention digitalSignature or nonRepudiation (both, in addition to other KUs, is also fine), reject cert.
Section 5.1.3.6 goes on to describe the Subject Alternate Name expected for IPSec certificates.
Basically, the profile is a definition of how a certificate is expected to be generated for a certain use-case.
You can define your own certificate profiles, but you'd need to have a very good reason to do so. Most use-cases have been covered by existing profiles, so you may end up re-inventing the wheel.
RFC 5280 defines a profiles for X.509 certificates and CRLs for use on the Internet. It lists what is expected of a certificate by services operating on the Internet (as opposed to other networks such as X.25). The fields are fixed (section 4.1) and it also defines standard extensions. In addition to those, you can also define your own extensions. However, you'd need CAs that can create those certificates and clients that understand what to do with them.
Upvotes: 2
Related Questions
- What is CA certificate, and why do we need it?
- Understanding Subject Public Key Info definition and indentation
- In x509, what is the difference between the key-pair and the certificate?
- X509Chain.Build() method explanation
- What is meant by "Purpose " and its value in the Certificate verification?
- X.509 Self Signed Certificates
- Explain the Certificate Signature Value field of a X509 Digital Certificate
- Which parts of the certificate are signed?
- Open source certificate authority software
- x509 certificate Information